The purpose of this blog post is to document the configuration steps required to set up wired 802.1x and MAB authentication on Cisco Catalyst switches, using Cisco ISE 2.0 as the RADIUS server. ISE will be configured to use Microsoft AD as the external identity store, so that users and computers are authenticated against the AD domain.

The switch is already configured for VLANs, routing, etc., and any device plugged into the switch can currently access the network. Basic ISE functionality (integration with AD and the PKI) has already been configured.

Duplicate that rule below, rename the duplicated rule and call it “Domain Computers”

Change the ExternalGroup to EQUALS /Users/Domain Computers

Create a new rule above the Default rule (and below the 802.1x rules) – called “MAB”

Leave Identity Group condition as “Any”

Select other conditions and “Select Existing Condition from Library”

Select “Wired_MAB” from compound condition list

Click SAVE at the bottom of the screen

Verification

You can verify successful or failed authentication/authorization from ISE within the RADIUS LiveLog section. This will reveal details of Identity (Username), EndPoint Profile, Authentication Policy matched, Authorization Policy matched and the applied Authorization Profile.

From the switch you can use the command “show authentication session interface fastethernet 1/0/1”. This identifies, amongst other things, which authentication method was used (dot1x or mab), whether the currently logged-on identity is a user or a computer (a computer is shown with the host/ prefix), and the IP address of the device connected to the port.

If a device connected to the port is unable to support 802.1x, the switch fails over to MAB. From the screenshot below you can confirm that 802.1x failed and MAB authentication succeeded. In this case the username equals the MAC address of the client device.
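As an added example (not code from the original post), here is a small Python parser for that command's output. It determines which method authorized the session, whether the identity is a computer (host/ prefix), a user, or a MAB MAC address, and flags MAB-only sessions so they can be reviewed against profiling and DACL rules. The two sample outputs are constructed in the shape of IOS output, not captured from a real switch.

```python
import re
from dataclasses import dataclass

# Two constructed samples shaped like IOS "show authentication sessions
# interface" output (not captured from a real switch); only the fields this
# check needs are included.
SAMPLE_DOT1X = """\
            Interface:  GigabitEthernet1/0/1
          MAC Address:  0011.2233.4455
           IP Address:  10.1.1.50
            User-Name:  host/PC01.example.com
               Status:  Authz Success
Runnable methods list:
       Method   State
       dot1x    Authc Success
       mab      Not run
"""
# Same port after an endpoint without a supplicant fell over to MAB.
SAMPLE_MAB = (SAMPLE_DOT1X
              .replace("host/PC01.example.com", "001122334455")
              .replace("dot1x    Authc Success", "dot1x    Failed over")
              .replace("mab      Not run", "mab      Authc Success"))

@dataclass
class Session:
    interface: str
    ip: str
    username: str
    method: str    # "dot1x", "mab" or "none" (no method reached Authc Success)
    identity: str  # "computer" (host/ prefix), "mac" (MAB, username == MAC) or "user"

# "Key:  value" lines; the "Runnable methods list:" header has no value and is skipped.
_FIELD = re.compile(r"^[ \t]*([A-Za-z -]+):[ \t]+(\S.*?)[ \t]*$", re.M)
# Rows of the method table: "dot1x    Authc Success", "mab      Not run", ...
_METHOD = re.compile(r"^[ \t]*(dot1x|mab)[ \t]+(.+?)[ \t]*$", re.M)

def parse_session(text: str) -> Session:
    fields = dict(_FIELD.findall(text))
    states = dict(_METHOD.findall(text))
    method = next((m for m, s in states.items() if s == "Authc Success"), "none")
    user = fields.get("User-Name", "")
    mac_hex = re.sub(r"[^0-9a-f]", "", fields.get("MAC Address", "").lower())
    if user.lower().startswith("host/"):
        identity = "computer"
    elif mac_hex and re.sub(r"[^0-9a-f]", "", user.lower()) == mac_hex:
        identity = "mac"   # MAB: the switch sent the MAC address as the username
    else:
        identity = "user"
    return Session(fields.get("Interface", ""), fields.get("IP Address", ""),
                   user, method, identity)

def mab_fallback(s: Session) -> bool:
    """True when the port was authorized by MAB alone, i.e. 802.1x failed or
    never ran; such sessions warrant a profiling/DACL rule rather than full access."""
    return s.method == "mab" and s.identity == "mac"
```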

When using MAB authentication it is highly recommended to use Profiling to determine the fingerprint/make/model of the actual device and to create an Authorization Rule specific to the type of device connecting. Use a custom Authorization Profile that applies a Downloadable ACL (DACL) to restrict exactly what that unauthenticated device can access.

In closed mode, if authentication fails the user does not get access (assuming the default rule on ISE is to deny). If you wanted some kind of guest access when authentication fails, you would create rules in ISE that apply a DACL restricting that access. HTH